Australian firms grappling with “train-smash” of security legislation

Australian enterprises are navigating “a train-smash” of legislation and regulations on cyber security, according to the head of AustCyber, a government-funded organisation tasked with developing the cyber security industry.

During a recent roundtable event organised by Aura Information Security, a cyber security consultancy, AustCyber CEO Michelle Price warned that “legislation, regulation, standards and guidance are creating enormous confusion across the economy”. And unless the issues are addressed, Australia’s competitiveness will be affected, she added.

Many Australian businesses are struggling to navigate the almost constant flux of regulation and legislation on cyber security and privacy.

In July 2019, Australia’s Competition and Consumer Commission recommended a further review of the Privacy Act as part of its review of the digital platforms market.

At the same time, the Australian Prudential Markets Authority released a new security standard that requires the organisations it regulates to notify it within 10 days of any “material information security control weakness” that cannot be fixed quickly.

Jennifer Stockwell, national cyber security advisor for Australian telco Telstra, who spoke at the roundtable, said she hoped to see more coherence from regulators in future, and called for businesses to adopt a “more risk-based approach rather than compliance approach” towards cyber security.

That, however, may require businesses to seek external support and advice – and Australia has been lagging in that regard.

Research from Ecosystm, a technology consulting firm, revealed that just 29% of Australian businesses have sought third-party advice about cyber security and risk, compared with 50% globally.

But it is not that advice is not readily available – the community of specialist cyber security advisory companies in Australia continues to grow.

Price believes there are about 500 such companies now operating across Australia, and AustCyber is working with 300 of them.

She said 80 of those companies are high-performing operations with international ambitions, but acknowledged that there is a “grey ” to navigate, with some cyber security firms playing on both sides of the fence.

“We try to act as an independent filter. We vet every company that comes in,” she said, adding that two companies have been kicked out for grey- activities.

AustCyber, with a team of 11 people, received A$3.5m from federal, state and territory governments this year to support the growth and development of Australia’s cyber security sector.

A more vibrant cyber security industry could spur businesses into shoring up their cyber security practices, though Aura’s Australia country manager, Michael Warnock, noted that businesses remain at the “fork in the road where cyber security is seen as a handbrake rather than an accelerator”.

Warnock argued that organisations that have been able to demonstrate an enhanced security posture can gain a competitive edge, but acknowledged that there is no clear way for a company to prove it has secured that advantage.